NSS Config Options

NSS Config Options Format

The listed algorithms are allowed by policy; an application may additionally allow others by setting policy explicitly:

config="allow=curve1:curve2:hash1:hash2:rsa-1024..."

Only the specified hashes and curves will be allowed:

config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"

Only the specified hashes and curves will be allowed, RSA keys of 2048 bits or more will be accepted, and DH key exchange will require primes of 1024 bits or more (the integer options use the RSA-MIN and DH-MIN keywords listed below):

config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:rsa-min=2048:dh-min=1024"

A policy that enables the AES ciphersuites and the SECP256R1 and SECP384R1 curves:

config="allow=aes128-cbc:aes128-gcm:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1"

Turn off MD5 for all uses:

config="disallow=MD5"

Turn off MD5 and SHA1 for SSL use only (they remain allowed for other uses, such as certificate signatures):

config="disallow=MD5(SSL):SHA1(SSL)"

Disallow values are parsed first, and then allow values, independent of the order in which they appear.

Future keywords (not yet implemented):
enable: turn on ciphersuites by default.
disable: turn off ciphersuites by default without disallowing them by policy.
flags: turn on the following flags:
     ssl-lock: turn off the ability for applications to change policy with
               the SSL_SetCipherPolicy (or SSL_SetPolicy).
     policy-lock: turn off the ability for applications to change policy with
               the call NSS_SetAlgorithmPolicy.
     ssl-default-lock: turn off the ability for applications to change cipher
               suite states with SSL_EnableCipher, SSL_DisableCipher.

ECC Curves
PRIME192V1
PRIME192V2
PRIME192V3
PRIME239V1
PRIME239V2
PRIME239V3
PRIME256V1
SECP112R1
SECP112R2
SECP128R1
SECP128R2
SECP160K1
SECP160R1
SECP160R2
SECP192K1
SECP192R1
SECP224K1
SECP256K1
SECP256R1
SECP384R1
SECP521R1
C2PNB163V1
C2PNB163V2
C2PNB163V3
C2PNB176V1
C2TNB191V1
C2TNB191V2
C2TNB191V3
C2ONB191V4
C2ONB191V5
C2PNB208W1
C2TNB239V1
C2TNB239V2
C2TNB239V3
C2ONB239V4
C2ONB239V5
C2PNB272W1
C2PNB304W1
C2TNB359V1
C2PNB368W1
C2TNB431R1
SECT113R1
SECT131R1
SECT131R2
SECT163K1
SECT163R1
SECT163R2
SECT193R1
SECT193R2
SECT233K1
SECT233R1
SECT239K1
SECT283K1
SECT283R1
SECT409K1
SECT409R1
SECT571K1
SECT571R1

Hashes
MD2
MD4
MD5
SHA1
SHA224
SHA256
SHA384
SHA512

MACs

HMAC-SHA1
HMAC-SHA224
HMAC-SHA256
HMAC-SHA384
HMAC-SHA512
HMAC-MD5

Ciphers

AES128-CBC
AES192-CBC
AES256-CBC
AES128-GCM
AES192-GCM
AES256-GCM
CAMELLIA128-CBC
CAMELLIA192-CBC
CAMELLIA256-CBC
SEED-CBC
DES-EDE3-CBC
DES-40-CBC
DES-CBC
NULL-CIPHER
RC2
RC4
IDEA

SSL Key exchanges

RSA
RSA-EXPORT
DHE-RSA
DHE-DSS
DH-RSA
DH-DSS
ECDHE-ECDSA
ECDHE-RSA
ECDH-ECDSA
ECDH-RSA

Minimum sizes for asymmetric keys, in bits (integers)

RSA-MIN
DH-MIN
DSA-MIN

Constraints on SSL/TLS protocol versions (integers)

TLS-VERSION-MIN
TLS-VERSION-MAX

Constraints on DTLS protocol versions (integers)

DTLS-VERSION-MIN
DTLS-VERSION-MAX

Policy flags for algorithms

Written in parentheses after an algorithm name, for example MD5(SSL), to restrict that allow or disallow entry to one use; an entry without a flag applies to ALL uses.

SSL
SSL-KEY-EXCHANGE
KEY-EXCHANGE
CERT-SIGNATURE
SIGNATURE
ALL
NONE
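The following is an added example, not code from NSS or from this page. It models the config string semantics documented above (the "disallow then allow" ordering rule from the format section, the `all` keyword, the parenthesised policy flags, and the integer options) as a small Python parser, so a policy string can be checked before it is deployed. The flag bit values are this model's own and not NSS's internal constants; algorithm names are not validated against the lists on this page, and only the single-flag-in-parentheses syntax shown in the examples above is accepted.

```python
import re
from dataclasses import dataclass, field

# Policy-use flags from the "Policy flags for algorithms" list. The bit values
# are assumptions of this model, not NSS's internal constants.
FLAGS = {
    "SSL": 1 << 0,
    "SSL-KEY-EXCHANGE": 1 << 1,
    "KEY-EXCHANGE": 1 << 2,
    "CERT-SIGNATURE": 1 << 3,
    "SIGNATURE": 1 << 4,
}
FLAGS["ALL"] = sum(FLAGS.values())
FLAGS["NONE"] = 0

# Integer-valued options (minimum key sizes and protocol versions).
INT_OPTIONS = {
    "RSA-MIN", "DH-MIN", "DSA-MIN",
    "TLS-VERSION-MIN", "TLS-VERSION-MAX",
    "DTLS-VERSION-MIN", "DTLS-VERSION-MAX",
}

# NAME or NAME(FLAG), after upper-casing (keywords are case-insensitive).
_ENTRY = re.compile(r"^([A-Z0-9-]+)(?:\(([A-Z-]+)\))?$")


@dataclass
class Policy:
    default: int = FLAGS["ALL"]                    # mask for algorithms not named explicitly
    overrides: dict = field(default_factory=dict)  # algorithm -> allowed-use mask
    options: dict = field(default_factory=dict)    # integer option -> value

    def mask(self, name):
        return self.overrides.get(name.upper(), self.default)

    def allows(self, name, use="ALL"):
        """True if every use bit in `use` is still allowed for `name`."""
        want = FLAGS[use.upper()]
        return self.mask(name) & want == want

    def _apply(self, name, use_mask, allow):
        # "ALL" touches the default mask and every algorithm already overridden.
        targets = [None] + list(self.overrides) if name == "ALL" else [name]
        for t in targets:
            cur = self.default if t is None else self.overrides.get(t, self.default)
            new = cur | use_mask if allow else cur & ~use_mask
            if t is None:
                self.default = new
            else:
                self.overrides[t] = new

    def _apply_list(self, value, allow):
        for item in filter(None, value.split(":")):
            item = item.upper()
            if "=" in item:                       # integer option, e.g. RSA-MIN=2048
                opt, _, num = item.partition("=")
                if opt not in INT_OPTIONS:
                    raise ValueError(f"unknown option {opt}")
                self.options[opt] = int(num)
                continue
            m = _ENTRY.match(item)
            if not m:
                raise ValueError(f"bad policy entry {item!r}")
            name, use = m.group(1), m.group(2) or "ALL"
            if use not in FLAGS:
                raise ValueError(f"unknown policy flag {use}")
            self._apply(name, FLAGS[use], allow)


def parse_policy(config):
    """Parse a string such as 'disallow=MD5(SSL):SHA1(SSL) allow=...'.

    A leading config="..." wrapper, as written in the examples above, is accepted.
    """
    config = config.strip()
    if config.lower().startswith("config="):
        config = config[len("config="):].strip().strip('"')
    disallow, allow = [], []
    for word in config.split():
        key, sep, value = word.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {word!r}")
        key = key.lower()
        if key == "disallow":
            disallow.append(value)
        elif key == "allow":
            allow.append(value)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    policy = Policy()
    # Disallow entries are applied first, then allow entries, whatever the order
    # in which they were written.
    for value in disallow:
        policy._apply_list(value, allow=False)
    for value in allow:
        policy._apply_list(value, allow=True)
    return policy
```

With this model, `parse_policy('disallow=MD5(SSL):SHA1(SSL)').allows("MD5", "CERT-SIGNATURE")` is true while `.allows("MD5", "SSL")` is false, and `parse_policy('allow=MD5 disallow=all')` still leaves MD5 allowed because the disallow list is processed before the allow list. Unknown keywords, flags and option names raise `ValueError` rather than being silently dropped, which is the behaviour to want from a pre-deployment check.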